Comment 14 for bug 1536871

Hi Seth,

Verification of the firmware LVFS metadata: https://github.com/hughsie/fwupd/blob/master/src/fu-main.c#L947 which then uses https://github.com/hughsie/fwupd/blob/master/src/fu-keyring.c#L340

Verification of the cab file: https://github.com/hughsie/fwupd/blob/master/src/fu-main.c#L495 after the PolicyKit auth, then uses https://github.com/hughsie/fwupd/blob/master/src/fu-main.c#L323 to work out the trust status. We don't check the firmware.inf as we don't use that in fwupd, only in the LVFS for the version for display.

The digest is "digest algo 8" which is SHA-256 already.

Richard